As computer systems become ubiquitous in both the home and industry, the ability for any one individual to access applications and data has increased dramatically. Although such ease of access has streamlined many tasks such as paying bills, ordering supplies, and searching for information, the risk of providing the wrong data or functionality to the wrong person can be fatal to an organization. Recent instances of data breaches at many consumer product companies and compliance with certain statutory measures (e.g., Health Insurance Portability and Accountability Act (HIPPA), Child Online Protection Act (COPA), Sarbanes-Oxley (SOX), etc.) has forced many companies to implement much stricter system access policies.
Historically, computer systems have relied on so-called “logical” authentication in which a user is presented a challenge screen and must provide one or more credentials such as a user id, a password, and a secure token. In contrast, access to physical locations (e.g., server rooms, file rooms, supply rooms, etc.) is typically secured using physical authentication such as a proximity-card or smart-card that, when presented at a card reader, grants access to the room or area. Recently, these two authentication techniques have been incorporated into single-system access authentication platforms. When used in conjunction with other more complex identification modalities such as biometrics, it has become very difficult to gain unauthorized access to secure systems.
Granting initial access is only half the story, however. Once a user has presented the necessary credentials to gain entry to a secure computer system, they may circumvent the strict authentication requirements by allowing other users to “piggy-back” on their credentials. Users departing from an authenticated session may fail to terminate the session, leaving the session vulnerable to unauthorized access. As a result, sensitive data may be exposed to access by unauthorized individuals.
Currently available commercial solutions for detecting user presence and departure suffer from significant practical limitations. For example, “timeouts” are used to terminate system access if keyboard or mouse activity is not detected over a period of time. Using these techniques, however, the detection of an operator's presence is not directly tied to sensing the operator and erroneous results may be generated in cases of extended passive interaction. Further, such systems cannot discriminate between different users and a timeout period introduces the potential for unauthorized use in secured systems.
Token objects such as passive or active tags carried by users may also be used to grant access to secure systems. Radio-frequency tokens may also be used to detect user departure based on a detected increase in distance between the token object and the base transceiver. However, these systems suffer from an inability to reliably resolve the distance between the token and receiver, which can result in a restricted or unstable detection zone. Furthermore, the devices can be readily swapped or shared, and are costly to install and manage. Other systems rely on the detection of any acoustically or optically opaque object within the detection zone. Again, such approaches suffer from various drawbacks, including having very limited detection zones and the inability to distinguish between different operators and detect the re-entry of previously authenticated users. Other suggested solutions have used body-mass detection devices such as a pressure mat, which can be easily fooled using non-human objects.
What is needed, therefore, are techniques and supporting systems that can determine when an otherwise authorized user is no longer interacting with a secure system, if another person is attempting to access the system without re-authentication, and allowing the authorized user to restore their session without needing to resubmit their credentials.